CVE-2026-33190: CoreDNS has TSIG authentication bypass on DoT, DoH, DoH3, DoQ, and gRPC
CoreDNS' tsig plugin can be bypassed on non-plain-DNS transports because it trusts the transport writer's TsigStatus() instead of performing TSIG verification itself. In the attached PoC, plain DNS over TCP correctly rejects an invalid TSIG with NOTAUTH, while the same invalid-TSIG request is accepted over DoT (tls://) and DoH (https://), allowing a client that does not hold the shared secret to satisfy the plugin's require all directive. The same bug class affects DoH3, DoQ, and gRPC.
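As an added illustration (not CoreDNS code and not from the advisory), the Go model below contrasts the flawed pattern of trusting a transport writer's TsigStatus() with recomputing the MAC inside the plugin. The Request and Writer types, the transport names and the HMAC-over-payload digest are constructed simplifications of the real TSIG wire format and of CoreDNS' ResponseWriter.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// Request models a DNS message with a TSIG RR; MAC is nil when no TSIG is present.
type Request struct {
	Payload []byte
	MAC     []byte
}

// Writer plays the per-transport ResponseWriter the plugin sees. Only the
// plain-DNS writer verifies TSIG; the TLS/HTTPS/QUIC/gRPC ones never do.
type Writer struct {
	Transport string // "dns", "tls", "https", "quic", "grpc"
	Secret    []byte // shared key configured in the tsig plugin
	Req       Request
}

// tsigMAC is a simplified stand-in for the RFC 8945 TSIG digest: HMAC-SHA256
// over the message only (the real digest also covers the TSIG variables).
func tsigMAC(secret, payload []byte) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write(payload)
	return h.Sum(nil)
}

// TsigStatus reproduces the bug: on non-plain transports nil means "never checked", not "verified".
func (w Writer) TsigStatus() error {
	if w.Transport != "dns" {
		return nil
	}
	if w.Req.MAC == nil || !hmac.Equal(w.Req.MAC, tsigMAC(w.Secret, w.Req.Payload)) {
		return errors.New("tsig: bad signature")
	}
	return nil
}

// vulnerableRequire is the flawed pattern: "require all" passes whenever a TSIG is present and the writer reports no error.
func vulnerableRequire(w Writer) bool {
	return w.Req.MAC != nil && w.TsigStatus() == nil
}

// hardenedRequire recomputes the MAC with the plugin's own key on every transport, so the writer's status never stands in for verification.
func hardenedRequire(w Writer) bool {
	return w.Req.MAC != nil && hmac.Equal(w.Req.MAC, tsigMAC(w.Secret, w.Req.Payload))
}
```

With a MAC forged under the wrong key, vulnerableRequire rejects only on the "dns" transport and accepts on every other one, while hardenedRequire rejects it everywhere and still accepts a MAC computed with the configured secret.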